To protect enterprise mailbox data and support flexible work, administrators can use the Alibaba Mail domain management console to configure access permissions for third-party clients (such as Outlook and Foxmail), enforce secure passwords for those clients, and manage service agreements. These settings help prevent account compromise.
Prerequisites
You have an Alibaba Mail administrator account (postmaster@domain-name) or a delegated administrator account with domain management permissions.
You understand your organization’s internal security and compliance requirements. For example, you know whether employees are allowed to receive company email on personal devices.
Set third-party client logon permissions
By default, the high-security policy blocks third-party clients. Only the web interface and the official Alibaba Mail app are allowed. To use software such as Outlook, you can manually enable third-party client logon permissions for specific business needs.
Feature overview
Disable (block): Default policy for new customers. Members cannot log on using third-party clients. If they try, the client shows an authentication failure or connection error. The web interface and the official Alibaba Mail app are unaffected.
Enable (allow): Members can configure and log on to Alibaba Mail using any third-party client that supports standard protocols.
Procedure
Log on to the Alibaba Mail domain admin platform with the administrator account (postmaster). (Choose the logon URL for your site.)
Singapore
China (Hong Kong)
Germany
United States
In the navigation pane on the left, choose .
Find the setting.
Allow: Turn on the toggle (
).Not allowed: the shutdown switch (
).
Click Save in the top-left corner of the page.
Verify the result: After blocking third-party clients, try adding a corporate account to your phone’s built-in mail app. You should see a server connection error or a username or password error.
Enforce secure passwords for third-party clients
If users need third-party email clients, enable this setting to improve account security.
When enforced, third-party client login credentials are separated from the root account password. Even if client configuration details leak, attackers obtain only a revocable dedicated password—not your real mailbox password. This helps prevent account misuse.
Feature overview
After enabling this setting, members must use a “third-party client secure password” generated separately in the web interface. They cannot use their mailbox logon password to configure third-party clients.
Procedure
Log on to the Alibaba Mail domain admin platform with the administrator account (postmaster). (Choose the logon URL for your site.)
Singapore
China (Hong Kong)
Germany
United States
Go to .
Find the setting and turn on the toggle.
Set the scope:
All members: All members must use a secure password.
Specific departments and accounts only: Click Open selection box, then select the departments or employees to which this rule applies.
(Optional) Add exceptions: If you apply the rule to all members but some special accounts—such as a printer that scans documents to email—do not support this protocol, add them to the exception list.
Click Save in the top-left corner of the page.
Important notes:
After enabling this policy, existing third-party client connections stop working immediately. Clients show a password error.
Notify users in advance. They must log on to the web interface, go to , generate a new password, and replace the old one in their client.
Configure client access IP address whitelist
Use an IP address whitelist to restrict third-party client access to specific public IP addresses—such as your corporate network. This blocks connection attempts from untrusted networks and ensures email access only from secure environments. It improves data security.
Configuration Logic
This setting uses a “global block + whitelist exception” model:
Turn off Allow Third-Party Clients globally.
Add your corporate public IP address to Set secure logon IPs.
Result: Only third-party client requests from your corporate IP address are allowed. All others are denied.
Procedure
Log on to the Alibaba Mail domain admin platform with the administrator account (postmaster). (Choose the logon URL for your site.)
Singapore
China (Hong Kong)
Germany
United States
Go to .
Make sure Allow Third-Party Clients is set to Disabled (
).Scroll down to the Set secure logon IPs section.
Enter your company’s public outbound IP address or CIDR range. For example:
1.1.1.1or1.1.1.0/24.Click Save.
Verify the result: Try fetching email while connected to your phone’s hotspot (not your company IP). It should fail. Then switch to your company Wi-Fi. Email fetching should succeed.
Management Mailbox Service Agreement
Manage POP3 and IMAP services as needed. For example, enable IMAP for mobile work but disable POP3 to prevent bulk email downloads to local devices. This reduces data leakage risk.
Protocol overview
POP3: Downloads email to a local device. Often used for local archiving.
IMAP: Syncs email status across multiple devices. Best for mobile work.
SMTP: Sends email.
Procedure
Modify a single account
Log on to the Alibaba Mail domain admin platform with the administrator account (postmaster). (Choose the logon URL for your site.)
Singapore
China (Hong Kong)
Germany
United States
Go to .
Click the employee’s email address. Switch to the Feature Permissions tab. Find the Client settings to manage service agreements. Use one of these two recommended options:
Option 1: Enable both IMAP and SMTP (recommended).
Option 2: Enable both POP3 and SMTP.
Changes save automatically.
Modify multiple accounts
Log on to the Alibaba Mail domain admin platform with the administrator account (postmaster). (Choose the logon URL for your site.)
Singapore
China (Hong Kong)
Germany
United States
Go to .
Select targets: In the employee list, check the departments or individual employee accounts you want to update. Then click Batch Settings.
In the feature list, check POP3/SMTP Service Toggle.
Adjust sub-options as needed:
Block email download: Clear the check box next to Enable POP3/SMTP Service.
Allow synchronized viewing: Keep Enable IMAP/SMTP Service checked.
Click OK to finish.
FAQ
After I disable “Allow Third-Party Clients”, can users still log on to the web interface?
Yes. This setting only blocks third-party client software such as Outlook, Foxmail, and Mac Mail. It does not affect the Alibaba Mail web interface or the official Alibaba Mail app.
Why does my client show “password error” after I enable “Enforce Secure Password”?
This is expected. After enabling this feature, the original mailbox logon password stops working in third-party clients. Users must log on to the web interface, generate a new “third-party client secure password”, and replace the old password in their client.
Even though I disabled third-party clients, why can employees still receive email on their phones?
Check whether employees are using the Alibaba Mail app. The Alibaba Mail app is treated as a secure client and is not blocked by the “disable third-party clients” policy. If employees use their phone’s built-in “Mail” app, verify whether an IP address whitelist is configured—or whether the policy has not yet taken effect (it usually takes a few minutes).
What happens when employees travel after I set up an IP address whitelist?
If you enable an IP address whitelist and block third-party clients on external networks, employees outside the whitelisted IP range—such as while traveling or working from home—cannot use third-party clients. Guide them to use the web interface or the official Alibaba Mail app for mobile work.